Re: front-end OWA server


From: Vic (macanas_at_gmail.nospman.com)
Date: 01/03/05


Date: Mon, 3 Jan 2005 14:29:01 -0800

The OWA server sits on the DMZ with an internal address of 192.168.100.xxx
NATING to an external address of 208.xxx.xxx.xxx so it can be accessible
from the internet. The internal network is on a 192.168.10.xxx subnet and is
routable with the DMZ network for security purposes. Also the OWA server is
part of the domain in which the main Exchange server resides. When the OWA
server is on the DMZ it is accessible from any of the internal subnets, but
when entering a username and password authentication fails. The next phase
would be to open the SSL (443) port so the OWA site can be accessible from
the internet. That is where we still stand.

Vic

"Skipster" <Skipster@discussions.microsoft.com> wrote in message
news:89528C39-8392-4E9E-A29C-E5858C575FB0@microsoft.com...
> Vic
>
> Is the OWA server part of the same domain as the Exchange server? And from
> looking at your diagram I am not sure why you opened up all those ports on
> your firewall. Depending on the type of router that you are using you should
> be able to go to https://owa/exchange from the LAN subnet and be able to
> authenticate. You should not have to route through the firewall to make this
> request so the firewall should not be the issue with not being able to
> authenticate. When an internal client goes to https://owa/exchange your
> router should forward the request to this server, there should be no NATING
> going on with this traffic. All the NATING should be happening on your
> firewall facing the internet and the internet facing the DMZ interface. It
> sounds like you have NAT going on with the DMZ subnet and the local LAN
> subnet and this can be your issue when trying to authenticate.
>
>
>
> "Vic" wrote:
>
> > This is good recommendation, but our DMZ is a separate subnet that can
> > route to the internal network (DMZ 192.168.100.xxx/Internal 192.168.50.xxx).
> > So all devices in the DMZ subnet could use NAT to an external IP address.
> > This is why we would like to keep the front-end OWA server on the DMZ.
> >
> > "Andy David - Exchange MVP" <adavid@pleasekeepinngcheesebucket.com> wrote in
> > message news:4eldt0l9cftehbd7v61m41qdf6kpkdje5i@4ax.com...
> > > Put OWA back behind the firewall. Use ISA or other similar products in
> > > the DMZ and reverse proxy OWA out.
> > >
> > >
> > >
> > > On Fri, 31 Dec 2004 09:36:31 -0800, "Vic" <macanas@gmail.nospman.com>
> > > wrote:
> > >
> > > >I have setup a front-end OWA server to allow remote users to read their
> > > >mail remotely (obviously). The problem I encountered is as follows; the
> > > >OWA is on a DMZ and can be accessed from the internal network. When
> > > >connecting to the OWA server from the outside (public ip) I cannot even
> > > >connect to the site.
> > > >
> > > >Here is what our network looks like:
> > > >
> > > >                Internet
> > > >                    |
> > > >               ***Router***
> > > >                    |_____DMZ-----OWA Front-End (Using NAT IP 208.xxx.xxx.xxx ext/192.168.xxx.xxx int)
> > > >                    |          Other Web Servers
> > > >              ***Firewall***
> > > >                    |
> > > >         Internal Network (Win2k3)
> > > >           1 Exchange2k3 Ent. Server
> > > >           2 Win2k3 DC's
> > > >                    |
> > > >           Clients, etc.
> > > >
> > > >When connecting internally to the OWA using (https://owa/exchange), I can
> > > >connect but cannot authenticate using any account allowed OWA access.
> > > >When I bring the server back out of the DMZ and into the internal network,
> > > >authentication works just fine.
> > > >
> > > >Here is a list of ports that have been opened on the Firewall:
> > > >  a. For Exchange Communication:
> > > >     a. Port 80 for HTTP
> > > >     b. Port 443 for SSL
> > > >     c. Port 691 for Link State Algorithm routing protocol
> > > >  b. For Active Directory communication:
> > > >     a. Port 389 for LDAP (TCP and UDP)
> > > >     b. Port 3268 for Global Catalog Server LDAP (TCP)
> > > >     c. Port 88 for Kerberos Authentication (TCP and UDP)
> > > >Can anyone please help?
> > > >
> > > >Thanks,
> > > >Vic
> > > >
> > >
> >
> >
> >
> >
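An added example, not part of the thread and not code from any poster: a small gap analysis of the firewall rule set Vic lists against what a domain-joined Exchange 2003 front-end in a perimeter network needs to reach its back-end and the domain controllers, plus a live TCP probe to run from the front-end itself. The posted rules are transcribed from the thread; the required-flow table (DNS 53, RPC endpoint mapper 135 and the dynamic RPC ports on top of the listed LDAP, GC and Kerberos ports) is my reading of Microsoft's Exchange 2003 front-end/back-end topology guidance and is an assumption to verify, as is the placeholder DC hostname used in the probe. The second function highlights the point Andy David and Skipster make: every directory port opened from the DMZ is a direct path from an internet-facing host into Active Directory, which is why a reverse proxy in the DMZ with OWA behind the firewall is the safer layout.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One allowed connection from the DMZ front-end into the internal network."""
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str

    @property
    def key(self):
        return (self.proto, self.port)


# The rule set listed in the original post (transcribed from the thread).
POSTED_RULES = frozenset({
    Flow("tcp", 80, "HTTP (front-end to back-end)"),
    Flow("tcp", 443, "SSL"),
    Flow("tcp", 691, "Link State Algorithm routing protocol"),
    Flow("tcp", 389, "LDAP"),
    Flow("udp", 389, "LDAP"),
    Flow("tcp", 3268, "Global Catalog LDAP"),
    Flow("tcp", 88, "Kerberos"),
    Flow("udp", 88, "Kerberos"),
})

# What a domain-joined Exchange 2003 front-end in a perimeter network needs
# towards the back-end and the DCs/GCs. ASSUMPTION: my reading of the Exchange
# 2003 front-end/back-end topology guidance; verify against current docs.
REQUIRED_FLOWS = frozenset({
    Flow("tcp", 80, "HTTP (front-end proxies to back-end over HTTP)"),
    Flow("tcp", 691, "Link State Algorithm routing protocol"),
    Flow("tcp", 389, "LDAP to domain controllers"),
    Flow("udp", 389, "LDAP to domain controllers"),
    Flow("tcp", 3268, "Global Catalog LDAP"),
    Flow("tcp", 88, "Kerberos"),
    Flow("udp", 88, "Kerberos"),
    Flow("tcp", 53, "DNS (locating DCs/GCs via SRV records)"),
    Flow("udp", 53, "DNS (locating DCs/GCs via SRV records)"),
    # 135 is only the endpoint mapper: Netlogon/DSAccess then use dynamic RPC
    # ports (or a fixed port set in the registry), which must also be allowed.
    Flow("tcp", 135, "RPC endpoint mapper (domain membership, Netlogon)"),
})

# Ports that, once open from the DMZ, give an internet-facing host a direct
# path into the directory service rather than just into Exchange.
DIRECTORY_PORTS = frozenset({53, 88, 135, 389, 3268})


def missing_flows(posted, required):
    """Required flows with no matching (proto, port) in the posted rule set."""
    have = {f.key for f in posted}
    return frozenset(f for f in required if f.key not in have)


def directory_facing(posted):
    """Posted flows that reach Active Directory rather than Exchange itself."""
    return frozenset(f for f in posted if f.port in DIRECTORY_PORTS)


def probe_tcp(host, port, timeout=2.0):
    """Live check to run from the front-end: can it complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, or name did not resolve
        return False


def report(posted=POSTED_RULES, required=REQUIRED_FLOWS):
    """Summarise gaps and exposure as plain text for a ticket or a mail."""
    by_port = lambda f: (f.port, f.proto)
    lines = ["Missing flows (domain authentication will fail until these pass):"]
    for f in sorted(missing_flows(posted, required), key=by_port):
        lines.append(f"  {f.proto}/{f.port:<5} {f.purpose}")
    lines.append("Directory-facing rules (the reason to prefer a reverse proxy):")
    for f in sorted(directory_facing(posted), key=by_port):
        lines.append(f"  {f.proto}/{f.port:<5} {f.purpose}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    # Placeholder DC name (assumption); replace with the real DC when running
    # from the front-end server.
    print("DC LDAP reachable:", probe_tcp("dc1.internal.example", 389))
```

Run `report()` first to see which listed ports are not enough on their own; then run `probe_tcp` from the OWA box against the DC for each required port, and if any handshake fails that rule, not the OWA configuration, is what to fix. If the missing-flow list grows to include 135 plus a dynamic RPC range, that is the moment to weigh the thread's alternative of keeping OWA behind the firewall and reverse-proxying it instead.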


